diff options
| -rw-r--r-- | js/tests/unit/modal.js | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/js/tests/unit/modal.js b/js/tests/unit/modal.js index 3b028dc10..5b265df15 100644 --- a/js/tests/unit/modal.js +++ b/js/tests/unit/modal.js @@ -597,4 +597,40 @@ $(function () { }) .trigger('click') }) + + QUnit.test('should not parse target as html', function (assert) { + assert.expect(1) + var done = assert.async() + + var $toggleBtn = $('<button data-toggle="modal" data-target="<div id="modal-test"><div class="contents"<div<div id="close" data-dismiss="modal"/></div></div>"/>') + .appendTo('#qunit-fixture') + + $toggleBtn.trigger('click') + setTimeout(function () { + assert.strictEqual($('#modal-test').length, 0, 'target has not been parsed and added to the document') + done() + }, 1) + }) + + QUnit.test('should not execute js from target', function (assert) { + assert.expect(0) + var done = assert.async() + + // This toggle button contains XSS payload in its data-target + // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here + // a script element works in manual tests though, so here it is likely blocked by the qunit framework + var $toggleBtn = $('<button data-toggle="modal" data-target="<div><image src="missing.png" onerror="$('#qunit-fixture button.control').trigger('click')"></div>"/>') + .appendTo('#qunit-fixture') + // The XSS payload above does not have a closure over this function and cannot access the assert object directly + // However, it can send a click event to the following control button, which will then fail the assert + $('<button>') + .addClass('control') + .on('click', function () { + assert.notOk(true, 'XSS payload is not executed as js') + }) + .appendTo('#qunit-fixture') + + $toggleBtn.trigger('click') + setTimeout(done, 500) + }) }) |